Amdt. Dated April 27, 2007 - 3 - VAINSTEIN et al 

Reply to Office Action of July 14, 2006 Appl. No. 10/075,194 

Amendments to the Claims 

The listing of claims will replace all prior versions, and listings of claims in the 
application. 

1 . (Currently Amended) A method for providing access management 
through use of a plurality of server machines associated with different locations, said 
method comprising the acts of: 

(a) receiving, at a first server machine of the plurality of server machines, an 
access request to access a secure it e ms item from a us e r of a first client machine at a first 
location; [0091] 

(b) authenticating the a user of the first client machine at the first location; 

(c) authenticating the first client machine; 

(d) upon successful authentication in steps (b) and (c), retrieving a user key 
permitting access to an encrypted header of the secured item, the encrypted header 
including access rules for the secured item; 

(d) {e) d e termining wh e ther th e us e r is p e rmitted to gain permitting access to the 
secure item s e cur e it e ms via the first location when said authenticating (b) and (c) are 
successful; 

(e) £JQ permitting the us e r to gain access to the secure item se cur e it e ms via the 
first server machine when said determining (d) £e) determines that the user is permitted 
to gain access to the secure item s e cur e it e ms from the first location; and 

(£> (g) preventing th e us e r to gain access to the secure item secur e it e ms via the 
first server machine when said determining (d) £e) determines that the user is not 
permitted to gain access to the secure item s e cur e items from the first location. 
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2. (Currently Amended) The A method as recited in claim 1, wherein said 
determining (d) (e)comprises: 

(d±) (el) obtaining access privileges associated with the user to determine at least 
permitted locations for the user; and 

(d2) (e2) determining whether the user is permitted to gain access to the secure 
item s e cur e items from the first location based on the permitted locations associated with 
the user. 

3. (currently amended) The A method as recited in claim 1, wherein, when 
permitted by said permitting (e), th e user gain s allowing access to the secure item s ecure 
it e ms from the first location via the first client machine and the first server machine. 

4. (Currently Amended) The A method as recited in claim 1, wherein, when 
permitted by said permitting (e) {f}, the us e r gains allowing access to the secure item 
s e cur e items from the first location via the first client machine and the first server 
machine. 

5. (Currently Amended) The A method as recited in claim 1 , wh e r e in said 
m e thod compris e s further comprising the acts of: 

(g) £h) preventing th e user from gaining access to the secure item s e cur e it e ms via 
any of the server machines other than the first server machine when said determining (d) 
(e) determines that the user is permitted to gain access to the secure item s e cur e it e ms 
from the first location. 
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6. 



(Currently Amended) The A method as recited in claim 1, 



wherein said determining (d) £e) comprises determining whether the user is 
permitted to gain access to the secure item s e cure it e ms via the first client machine and 
the first server machine, and 

wherein said permitting (e) (f) operates to permit the user to gain access to the 
secure item secur e items via the first client machine and the first server machine when 
said determining (d) determines that the user is permitted to gain access to the secure 
item secure items via both the first client machine and the first server machine. 

7. (Currently Amended) The A method as recited in claim 1, 
wherein said determining (d) (e) comprises determining whether the user is 

permitted to gain access to the secure item secure items via the first server machine, and 

wherein said permitting (e) (f) operates to permit the user to gain access to the 
secure item s e cur e items via the first server machine when said determining (d) (e) 
determines that the user is permitted to gain access to the secure item s e cur e it e ms via the 
first server machine. 

8. (Currently Amended) The A method as recited in claim 1, 
wherein said determining (d) (e) comprises determining whether the user is 

permitted to gain access to the secure item secur e items via the first client machine, and 

wherein said permitting (e) £f} operates to permit the user to gain access to the 
secure item s e cure it e ms via the first client machine when said determining (d) £e) 
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determines that the user is permitted to gain access to the secure item s e cure it e ms via the 
first client machine. 

9. (Currently Amended) The A method as recited in claim 1 , whoroin said 
method compris e s further comprising the acts of: 

(g) £h) preventing the user from gaining access to the secure item secure items via 
any of the server machines other than the first server machine when said determining (d) 
£e} determines that the user is permitted to gain access to the secure item s e cure items 
from the first location. 

10. (Currently Amended) The A method as recited in claim 9, wherein said 
preventing (g) £h) of the user to gain access to the secure item s e cure items via any of the 
other server machines comprises reconfiguring at least any of the other server machines 
that previously permitted the user to gain access to the secure item s e cure items 
therethrough. 

1 1 . (Currently Amended) The A method as recited in claim 10, wherein said 
permitting (e) (f) of the user to gain access to the secure item secur e it e ms via the first 
server machine comprises reconfiguring the first server machine to permit access by the 
user to the secure item s e cur e it e ms via the first server machine. 
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12. (Currently Amended) The A method as recited in claim 11, wherein said 
determining (d) (e) comprises: 

(dl) obtaining access privileges associated with the user to determine at least 
permitted locations for the user; and 

(d2) determining whether the user is permitted to gain access to the secure item 
s e cur e it e ms from the first location based on the permitted locations associated with the 
user. 

13. (Currently Amended) The A method as recited in claim 1, wherein said 
permitting (e) (f)of the user to gain access to the secure item s e cur e it e ms via the first 
server machine comprises reconfiguring the first server machine to permit access by the 
user to the secure item secur e items via the first server machine. 

14. (Currently Amended) The A method as recited in claim 1, wherein eaefe 
ef the secure it e ms item is a secured file, the secured file having a format that comprises 
a header including security information as to who and how the secure item can be 
accessed; an encrypted data portion including data of the secured s e cure file encrypted 
with a file key according to a predetermined cipher scheme, and wherein the header is 
attached to the encrypted data portion to generate the secured file. 

15. (Currently amended) The A method as recited in claim 14, wherein the 
security information in the header of the secured file facilitates the restricted access to 
the secured file. 
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16. (Currently amended) The A method as recited in claim 15, wherein the 
security information in the header of the secured file points to or includes the access 
rules and a file key. 

17. (Currently amended) The A method as recited in claim 14, wherein the 
security information is encrypted with a user key associated with the a user. 

1 8. (Currently amended) The A method as recited in claim 14, wherein the 
security information includes the file key and access rules to the restricted access to the 
secured file. 

19. (Currently amended) The A method as recited in claim 1 8, wherein the 
file key is retrieved to decrypt the encrypted data portion in the secured file when access 
privilege of the user is within access permissions by the access rules. 

20. (Currently amended) The A method as recited in claim 1 8, wherein the 
access rules are expressed in a markup language. 
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2 1 . (Currently Amended) A method for providing access management 
through use of a distributed network of server machines, said method comprising the acts 
of: 

(a) receiving, at first server machine of the plurality of server machines, an 
access request to access a secure item secure it e ms from a us e r of a first client machine; 

(b) authenticating a the user of the client machine; 

(c) authenticating the first client machine; 

{d} upon successful authenticating in step (b) and (c\ retrieving a user key 
permitting access to an encrypted header of the secure item, the encrypted header 
including access rules for the secure item; 

(d) (e) retrieving access privileges associated with the user; 

(e) £f} determining whether the user is permitted to gain access to the secure 
item s e cur e it e ms via the first server machine based on the access privileges when said 
authenticating (b) and (c) are successful; 

{£} (g) permitting th e user to gain access to the secure item secur e it e ms via the 
first server machine when said determining (e) £0 determines that the user is permitted to 
gain access to the secure item secure items via the first server machine; and 

(g) (h) preventing the us e r to gain access to the secure item secur e it e ms via the 
first server machine when said determining (e) £jQ determines that the user is not 
permitted to gain access to the secure item s e cure it e ms via the first server machine. 
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22. (Currently Amended) The A method as recited in claim 2 1 , wh e rein said 
method compris e s further comprising the acts of: 

(h) (i) preventing the us e r from gaining access to the secure item secur e items 
via any of the server machines other than the first server machine when said determining 
(e) determines that the user is permitted to gain access to the secure item secur e it e ms via 
the first server machine. 

23. (Currently Amended) The A method as recited in claim 21, 

wherein said determining (e) £0 further determines whether the user is permitted 
to gain access to the secure item s e cur e it e ms via the first client machine, and 

wherein said permitting (f) (g) operates to permit the user to gain access to the 
secure item s e cur e items via the first client machine and the first server machine when 
said determining (e) £f} determines that the user is permitted to gain access to the secure 
item s e cur e it e ms via both the first client machine and the first server machine. 

24. (Currently Amended) The A method as recited in claim 23, wh e r e in said 
m e thod compris e s further comprising the acts of: 

(h) £i) preventing th e user from gaining access to the secure item s e cure items 
via any of the server machines other than the first server machine when said determining 
(e) (f) determines that the user is permitted to gain access to the secure item s e cur e items 
via the first server machine. 
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25. (Currently Amended) The A method as recited in claim 24, wherein said 
preventing (h) (i}of the user from gaining access to the secure item s e cur e items via any 
of the other server machines comprises reconfiguring at least any of the other server 
machines that previously permitted the user to gain access to secure items therethrough. 

26. (Currently Amended) The A method as recited in claim 25, wherein said 
permitting (f) £g) of th e us e r from gaining access to the secure item s e cur e items via the 
first server machine comprises reconfiguring the first server machine to permit access by 
the user to the secure item secure it e ms via the first server machine. 

27. (Currently Amended) The A method as recited in claim 21 , wherein said 
permitting (f) (g) of the the user from gaining access to the secure item s e cure items via 
the first server machine comprises reconfiguring the first server machine to permit access 
to by the user the secure item secur e items via the first server machine. 

28. (currently amended) The A method as recited in claim 21, wherein e ach 
of th e s e cur e it e ms the secure item is a secured file, the secured file having a format that 
comprises a header including security information as to who and how the secure item can 
be accessed; an encrypted data portion including data of the secured s e cur e file encrypted 
with a file key according to a predetermined cipher scheme, and wherein the header is 
attached to the encrypted data portion to generate the secured file. 
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29. (currently amended) The A method as recited in claim 28, wherein the 
security information in the header of the secured file facilitates the restricted access to 
the secured file. 

30. (currently amended) The A method as recited in claim 28, wherein the 
security information is encrypted with a user key associated with the a user. 

3 1 . (currently amended) The A method as recited in claim 28, wherein the 
security information includes the file key and access rules to the restricted access to the 
secured file. 

32. (currently amended) The A method as recited in claim 28, wherein the file 
key is retrieved to decrypt the encrypted data portion in the secured file when access 
privilege of the user is within access permissions by the access rules. 

33. (currently amended) The A method as recited in claim 31, wherein the 
access rules are expressed in a markup language. 

34. (Currently Amended) A computer readable medium including at least 
computer program code for providing access management to secured content through use 
of a plurality of server machines associated with different locations, said computer 
readable medium comprising: 
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computer program code for receiving, at a first server machine of the plurality of 
server machines, an access request to access a secure item s e cure items from a user of 
from a first client machine at a first location; 

computer program code for authenticating fee a user of the first client machine at 
the first location; 

computer program code for authenticating the first client machine; 

computer program code for retrieving a user key permitting access to an 
encrypted header of the secured item, the encrypted header including access rules for the 
secure item upon authentication of the user and the first client machine; 

computer program code for determining whethe r th e us e r is permitt e d to gain 
access to the secure item s e cure it e ms via the first location is permitted when said 
computer program code for authenticating the first client machine and the user are 
successful; 

computer program code for permitting the us e r to gain access to the secure item 
s e cur e it e ms via the first server machine when said computer program code for 
determining determines that the user is permitted to gain access to the secure item s e cure 
it e ms from the first location; and 

computer program code for preventing th e us e r to gain access to the secure item 
secur e it e ms via the first server machine when said computer program code for 
determining determines that the user is not permitted to gain access to the secure item 
secur e it e ms from the first location. 
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35. (Currently Amended) A computer readable medium including at least 
computer program code for providing access management through use of a distributed 
network of server machines, said computer readable medium comprises: 

computer program code for receiving, at first server machine of the plurality of 
server machines, an access request to access a secure item s e cure items from a user of a 
first client machine; 

computer program code for authenticating a the user of the client machine; 

computer program code for authenticating the first client machine; 

computer program code for retrieving a user key permitting access to an 
encrypted header of the secured item, the encrypted header including access rules for the 
secure item upon authenticating of the user and the first client machine; 

computer program code for retrieving access privileges associated with the user; 

computer program code for determining whether the us e r is p e rmitt e d to gain 
access to the secure item s e cur e it e ms via the first server machine is permitted based on 
the access privileges when said computer program code for authenticating the first client 
machine and the user are successful; 

computer program code for permitting th e us e r to gain access to the secure item 
s e cure items via the first server machine when said computer program code for 
determining determines that the user is permitted to gain access to the secure item secure 
it e ms via the first server machine; and 

computer program code for preventing the us e r to gain access to the secure item 
secure items via the first server machine when said computer program code for 
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determining determines that the user is not permitted to gain access to the secure item 
secure items via the first server machine. 

36. (Currently Amended) An access control system that restricts access to a 
secure item s e cure it e ms , said system comprising: 

a central server having a server module that provides overall access control; and 

a plurality of local servers, each of said servers including a local module that 
provides local access control, 

wherein the access control, performed by said central server or said local servers, 
operates to permit or deny access requests to secured items by requestors, and 

wherei n, based on information stored in an encrypted header of a secure item a 
given requestor, permitted to access the secure item secure it e m s through one or more of 
said local servers, is only able to access the secure item secure items using only a single 
one of said local servers or the central server such that the given requestor can only 
access the secure item s e cur e it e ms through at most one of said local servers at a time. 

37. (currently amended) The A n access control system as recited in claim 36, 
wherein said access control system couples to an enterprise network to restrict access to 
the secure item , which comprises a^secured file, files stored therein. 

38. (currently amended) The An access control system as recited in claim 37, 
wherein the access requests are at least primarily processed in a distributed manner by 
said local servers. 
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39. (currently amended) The A h access control system as recited in claim 38, 
wherein when the access requests are processed by said local servers, the requestors gain 
access to the secured files without having to access said central server. 

40. (currently amended) The An access control system as recited in claim 37, 
wherein the local module can be a copy of the server module so any of the local modules 
can operate independent of said central server and other of said local servers. 

41. (currently amended) The An access control system as recited in claim 37, 
wherein the local module can be a subset of the server module. 

42. (currently amended) The A n access control system as recited in claim 37, 
wherein access permissions for said local servers can be dynamically configured to pass 
a requestor from one of said local servers to another of said local servers, thereby 
enabling access control to be performed by the another of said local servers such as when 
the location of the requestor changes. 

43. (currently amended) The A n access control system as recited in claim 37, 
wherein the secured files are secured by encryption of the secure item th e fil e s . 

44. (currently amended) The A n access control system as recited in claim 37, 
wherein the secure item th e s e cured fil e s are secured by encryption. 
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